Implementation#

Top Level#

stageuser-activate#

When activating a stage user, we need to copy (if they exists) the credential from the stage entry to the active entry. Helpdesk is granted the access to do that:

dn: cn=stage users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: '(targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "``\ ```ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX`` <ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX>`__\ ``";)'

TODO: need the same aci for ‘stage user administrator ‘ TODO: clarify if admin is helpdesk or support engineer

user-del#

When the option –preserve moves the entry from the Active container to the Delete container, we need to remove the credential. This requires the following aci for the helpdesk:

dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: '(targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "``\ ```ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX`` <ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX>`__\ ``";)

TODO: clarify if admin is helpdesk or support engineer

Authentication#

In order to prevent authentication with Delete and Stage users, the following pointer cos is implemented at the provisioning/accounts level:

dn: cn=provisioning account lock,cn=accounts,cn=provisioning,SUFFIX
objectClass: top
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
objectClass: ldapSubEntry
costemplatedn: cn=Inactivation cos template,cn=staged users,cn=provisioning,SUFFIX
cosAttribute: nsaccountlock operational
cn: provisioning account lock
dn: cn=provisioning account lock cos template,cn=accounts,cn=provisioning,SUFFIX
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cosPriority: 1
cn: provisioning account lock cos template
nsAccountLock: true